Solved

TrueCrypt - Finding balance between usability and security

Posted on 2011-09-13
Last Modified: 2012-05-12
I have a file server in a location which is a little out of the way. I understand that encrypting the system drive with TrueCRYPT means that authentication happens pre-boot. This would mean that physical access to the server is required after each restart (currently all [software] admin work is done through remote desktop).

My questions are:

a), does encrypting the sys drive increase data security if confidential information is already encrypted on an external drive, and the OS is basically a clean install shell....

b), if sys drive encryption is to be used, is it possible to have automatic encryption authentication? Does this sound a little pointless?!? The user account would still have a password though...

Feedback welcome!

Thanks guys
Question by:mpaert
7 Comments
 

Assisted Solution

by:Garry-G
Garry-G earned 250 total points
As for encrypting the system drive, keep in mind that Windows does all kinds of things all over the place, storing temporary files, swap files, etc. on the system drive, so you have no say-so over where confidential information might end up when being loaded off of the external drive. From that point of view, yes, encrypting the system drive will increase the security of the data.

Not sure what you mean with the encryption authentication though ...

Expert Comment

by:RobMobility
Hi,

Do you have a KVM over IP solution on the server such as ILO or DRAC - would having access to this not enable you to authenticate via that console?

Regards.


RobMobility.

Accepted Solution

by:McKnife
McKnife earned 250 total points
First of all: are you open to alternatives?
If your server (what OS?) would be Windows Server 2008, you could use BitLocker. And IF, yes, if the mainboard supports it, let BitLocker use the TPM chip of the board. This would be a whole-disk encryption without a password and the need for someone to be present at reboots.
"Would that be secure", you might ask. It depends. If someone manages to cold boot attack your server (see http://www.youtube.com/watch?v=JDaicPIgn9U for a demonstration), your data will be lost. Second way to get to your data would be the infamous FireWire hack http://www.youtube.com/watch?v=5N-C5s_07Ts - applicable only if a FireWire port is present.
So you see, there are ways in and those are realistic. To have an entire system encrypted AND 100% secure AND handsfree (no password) is NOT possible - period.
------------

What IS possible handsfree is using TrueCrypt together with a keyfile. Let me explain:
Your file server (Windows, I suppose) will have 2 partitions, OS and data. If you don't care about the OSD partition (you should not need to care about the pagefile, because the restricted documents do not get worked on at the server itself), just use TrueCrypt to encrypt the data partition using no password but a keyfile (TC offers to do so). Now place that keyfile on a share of a remote server that no one has physical access to but you. Share permissions and NTFS permissions of that keyfile will have to be restricted, too (in our domain, we use the system account: fileserver$)
Next, create a scheduled task on your file server that uses truecrypt.exe scripted (batch script). TC can mount your whole partition using that keyfile totally unattended that way. Afterwards restart the server service with that script, too, to recreate the shares [shares are created at system startup normally - as we have to mount first, we need to use sc.exe to restart the server service afterwards]. Done. This is how our company solved that problem.

Now what would happen if a thief comes and steals the server? The data partition is encrypted, the thief would need the keyfile. Without, he is lost. So his only possibility to get to the data would again be the cold boot attack and firewire BUT this time he would have to perform this attack while the data partition is mounted which means RIGHT AT YOUR COMPANY and not in his cosy hideout with lots of time and planning. Once he turns off the machine, the keyfile is gone.

Two last things:
1. You will need to be aware that this keyfile is really important and keep a backup of it secured somewhere. Best would be to keep it on two servers' shares and use the second one if the first one is not available. Remember: both of these servers need to be physically secured.
2. Adjust your file server backup to your new needs.

Expert Comment

by:McKnife
One more thing about the scheduled task that does the mounting: it must be run at system startup (and as I proposed using the account: system which does not need a password to be entered=leave it blank if asked for one).
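
One way to write the startup script described in the accepted solution and the comment above, as an added example that is not the poster's own script. The TrueCrypt path, volume device, drive letter, keyfile share names and log path are all placeholders chosen for illustration.

```batch
@echo off
rem Added example. Every path, share name, device and drive letter here is a
rem placeholder. Register once, to run at startup as SYSTEM:
rem   schtasks /create /tn "MountData" /tr "C:\Scripts\mount-data.cmd" /sc onstart /ru SYSTEM
setlocal
set "TC=C:\Program Files\TrueCrypt\TrueCrypt.exe"
set "VOLUME=\Device\Harddisk1\Partition1"
set "LETTER=E"
set "KEY1=\\keysrv1\tckeys$\data.key"
set "KEY2=\\keysrv2\tckeys$\data.key"
set "LOG=C:\Scripts\mount-data.log"

rem The network may not be up yet at boot: try both keyfile shares, up to 12 times.
set /a TRIES=0
:findkey
set "KEYFILE="
if exist "%KEY1%" set "KEYFILE=%KEY1%"
if not defined KEYFILE if exist "%KEY2%" set "KEYFILE=%KEY2%"
if defined KEYFILE goto mount
set /a TRIES+=1
if %TRIES% geq 12 (
    >>"%LOG%" echo %date% %time% no keyfile share reachable, volume not mounted
    exit /b 1
)
ping -n 11 127.0.0.1 >nul
goto findkey

:mount
rem /q: no main window  /s: no prompts  /p "": empty password  /k: keyfile
start "" /wait "%TC%" /q /s /v "%VOLUME%" /l %LETTER% /p "" /k "%KEYFILE%"
if not exist %LETTER%:\ (
    >>"%LOG%" echo %date% %time% mount failed using %KEYFILE%
    exit /b 2
)

rem Shares on the data volume were skipped when the Server service started before
rem the mount, so restart it. sc returns at once, hence the wait for STOPPED.
rem sc stop fails while dependent services are running; stop those first.
sc stop lanmanserver >nul
if errorlevel 1 (
    >>"%LOG%" echo %date% %time% could not stop lanmanserver, shares not recreated
    exit /b 3
)
:waitstop
ping -n 2 127.0.0.1 >nul
sc query lanmanserver | find "STOPPED" >nul
if errorlevel 1 goto waitstop
sc start lanmanserver >nul
>>"%LOG%" echo %date% %time% mounted %LETTER%: and restarted lanmanserver
```

A task running as SYSTEM reaches the keyfile shares with the file server's computer account, which is the account the share and NTFS permissions on the keyfile need to allow.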

Expert Comment

by:McKnife
> Feedback welcome!
Same on my side :)

Expert Comment

by:Tolomir
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.